All Apps and Add-ons
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

What can I do about cold data from NMON Performance Monitor for Unix and Linux Systems?

2004sl0601
New Member
‎05-04-2016 09:38 PM

Hello guilhem.marchand:

I'm hoping to get some help with the NMON app because I'm having trouble getting anything to show up in the nmon_data sourcetype. In our environment, we're in "cold" mode. I have some files that generated by nmon tool. I want to upload and monitor local file directory, (for example:/mnt/NFS-SHARE/nmon-repository/).

I have done the following work, but analytical results were not obtained.
1) Installation of the NMON app
2) Upload a .nmon file to /mnt/NFS-SHARE/nmon-repository/
3) Create a /nmon/local/inputs.conf

Example:

 [monitor:///mnt/NFS-SHARE/nmon-repository/*/*nmon]
 disabled = false
 index = nmon
 sourcetype = nmon_processing 
 crcSalt = <SOURCE>

4) After adding the input, restart Splunk.
5) Finally, in the search bar:

   index=nmon sourcetype=nmon_processing

My data is standard nmon file and this result is wrong, but I don't know how to modify it. Please tell me which step I did wrong.

Thanks you very much!

0 Karma
Reply

guilmxm
Influencer
‎05-18-2016 12:01 PM

Hello,

As we've seen together after our exchanges, your problem comes from the nmon data sample you are trying to index, not from any trouble with the app or your configuration.

Your nmon file is identified as 'localhost' for some reason, most probably the server where you generated the nmon data is not correctly configured.

The app will refuse to manage nmon data identified as from "localhost" and not a real hostname (can be anything of your choice, FQDN or not, as long as it is compliant with host names definition)
If you want to enforce the indexing of the bad nmon files, please simply replace the "localhost" pattern in the file by the server hostname.

Cheers,

Guilhem

0 Karma
Reply

guilmxm
Influencer
‎05-06-2016 04:21 AM

Right, let's restart from the beginning 🙂

Please follow these steps:

  1. Have the nmon core app installed in your instance. (i guess you are running a standalone instance as far as i understand from your messages)

  2. Create a "local/inputs.conf" in /opt/splunk/etc/apps/nmon/

See examples of inputs:
http://nmonsplunk.wikidot.com/documentation:installation:centralrepositories

If you put the nmon files at the root directory of your share:

[monitor:///mnt/NFS-SHARE/nmon-repository/*.nmon]
disabled = false
index = nmon
sourcetype = nmon_processing
crcSalt = <SOURCE>

If you have root directories in your share, for example if you have directories named with your server's host name:

Let's say for the example, that you have:

/mnt/NFS-SHARE/nmon-repository/myserver1/*.nmon

You can use:

[monitor:///mnt/NFS-SHARE/nmon-repository/*/*.nmon]
disabled = false
index = nmon
sourcetype = nmon_processing
crcSalt = <SOURCE>

If you have more sub-directories, let's say you have for example:

/mnt/NFS-SHARE/nmon-repository/2016_05_06/myserver1/*.nmon

Then, you can use the "..." directive will go through any subdirectory:

[monitor:///mnt/NFS-SHARE/nmon-repository/.../*.nmon]
disabled = false
index = nmon
sourcetype = nmon_processing
crcSalt = <SOURCE>

I think your problem comes from here, the stanza you have used requires you to have .nmon files placed in your main share directory, but you mentionned that you just have put an nmon file in the share which cannot work as you use "monitor:///mnt/NFS-SHARE/nmon-repository//*.nmon"

  1. Restart Splunk

  2. Ensure you have placed *.nmon files where is it required depending on your needs

  3. Look at splunkd.log, you should see messages of Splunk managing the nmon files you are monitoring

  4. Look at the nmon_processing and nmon_data sourcetype in the nmon index, you will see your data

About the "cache" data:

The application will generate some cache data in /opt/splunk/var/run/nmon.
These cache will be:

  • the nmon file of the local machine if you have activate local nmon collection
  • various information about managed servers

It is not usually required to clean this directory unless you want for example to force the application to re-generate nmon configuration for example, but your problem does not come from there.

0 Karma
Reply

guilmxm
Influencer
‎05-05-2016 01:08 PM

Hi,

Managing cold nmon data repositories is a standard behavior of the application, it is normally quite easy to achieve, please have a look at the trouble shooting guide:

http://nmonsplunk.wikidot.com/documentation:userguide:troubleshoot:troubleguide

In you case, i suggest starting from "Manual processing for debugging purposes", in a few words:

  • Stop Splunk
  • Execute a manual parser call to verify the parsing step (to prevent any trouble, you can first remove the $SPLUNK_HOME/var/run/nmon directory to clean any local cache)
  • Ensure that csv files are being correctly generated

And continue the trouble shoot guide.

Guilhem

0 Karma
Reply

2004sl0601
New Member
‎05-05-2016 11:20 PM

Hi,
I had seen that guide, but there are some still problems, I am so puzzled:
1) create two directorys: csv-repository and config-repository to /mnt/NFS-SHARE/nmon-repository/ ;
2) When I after write this commands: but don't generate .csv file ,
alt text

     3) When I open csv_repository, this is nothing, I don't know why.

     please give me some suggestions.

      Another problem is:
      When you referred that you can first remove the $SPLUNK_HOME/var/run/nmon directory to clean any local cache, when I remove this files,  but no reposponse. Could you have another method to clean any local cache?

      Note: if i don't activate /splunk/etc/apps/nmon/bin/nmon_helper.sh and /splunk/etc/apps/nmon/bin/nmon_cleaner.sh —cleancsv, this is no data in  $SPLUNK_HOME/var/run/nmon, and I don't need to clean any local cache?

     Thanks again!
Preview file
15 KB
0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey

Can’t make it to .conf25? Join us online!

Watch Global Broadcast
Get Updates on the Splunk Community!

Community Content Calendar, September edition

Welcome to another insightful post from our Community Content Calendar! We're thrilled to continue bringing ...

Splunkbase Unveils New App Listing Management Public Preview

Splunkbase Unveils New App Listing Management Public PreviewWe're thrilled to announce the public preview of ...

Leveraging Automated Threat Analysis Across the Splunk Ecosystem

Are you leveraging automation to its fullest potential in your threat detection strategy?Our upcoming Security ...